CVE-2021-43954

CWE-918Server-Side Request Forgery (SSRF)3 documents3 sources
Severity
4.3MEDIUM
EPSS
0.1%
top 65.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Atlassian CrucibleAtlassian Fisheye
Timeline
PublishedMar 14
Latest updateMar 15

Description

The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

CVEListV5atlassian/fisheyeunspecified4.8.9
NVDatlassian/fisheye< 4.8.9
CVEListV5atlassian/crucibleunspecified4.8.9
NVDatlassian/crucible< 4.8.9

🔴Vulnerability Details

2
GHSA
GHSA-w6c2-26pj-hpq6: The DefaultRepositoryAdminService class in Fisheye and Crucible before version 42022-03-15
CVEList
CVE-2021-43954: The DefaultRepositoryAdminService class in Fisheye and Crucible before version 42022-03-14
CVE-2021-43954 (MEDIUM CVSS 4.3) | The DefaultRepositoryAdminService c | cvebase.io